any news? I know that it's not that easy to implement encryption with Jet Blue databases but you know, compliance and (data) security is a very important part, especially when you are using air-gapped-backups which are not on premises...

In that case, still no encryption. As said above, bitlocker is a way to do it, but I guess that won't work on your NAS either. I am not aware of potential encryption on a JetBlue database at this moment but to restore data, you will need the organization username and password.

Just opening the database will give you a lot of columns and tables, but it won't make any sense

I would like to start hosting tenets data on my environment, I can split the tenets so that they cant see each other data but what stops anyone on the SP side from accessing any data in the backups.
Ideally each tenet should be able to encrypt/lock down a backup so that I as service provider don't have access to the whole organisations email

Understood the use-case. But as you can see above we don't have it at this moment. This is certainly something we have in mind but the next version won't contain it. We are focused on delivering the SharePoint and OneDrive requirements first. After that we can put it on the table again

Hi all!
I am hosting office 365 backup for some small tenants. This is because they have only Laptops and iOS devices and no infrastructure for doing Office365 Backup.

I figured out that on my infrastructure I can open the backup with Veeam Explorer for Exchange without needing any password.
Regarding GDPR I am a processor, if I even store personal data for a customer. But if the data are encrypted, they are temporarely no personal data until decryption. So if I had only encrypted data on my repositories, I am not a processor and not affected by GDPR.

A Customer asked me to evaluate this regarding GDPR compliance, and I am afraid, this procedure is not compliant because anyone how get the files can access the data.
Ok, I can encyrpt the Storage where the office 365 files reside on. It is also not possible to copy the adb files because the office 365 Service keeps it locked. But every support engineer who as access to the infrastructure has also access to the tenants data.

In my opinion, to be able to operate Veeam Backup for Microsoft Office 365 and to avoid to be a processor, the data must be encrypted.
This is my private Technical Point of view, I am not a laywer!

To make sure we are on the same page. You are storing data, so you are a processor. No matter if it is encrypted or not. Being a processor under GDPR is defined very broad, and simply storing data makes you already a processor.

That being said: it is not because you have access to the files that you are not compliant. However, as a processor, you do need to be able to audit that access. Inside the solution, we are building logging (for the next version) that will allow you to audit who has opened Veeam explorer for exchange, what he or she has done (including previewing data) and what he/ she has restored. That is step 1.

I am very much aware that this is not enough, on the file level (through windows auditing) you will most probably need to do the same thing (or if you have another 3rd party solution for that). In the end, every "workload" can be temporary stopped and files can be copied. This goes for this solution but also for VMs, for files if you are hosting file services or even websites. Which means that every IT administrator in your environment can be doing unauthorized things.

A next step (as I said already above) is to take it one step further and get encryption at rest with a key (or keys) that are only known by tenants. But even in that case, you will have to do more as I explained above.

To conclude, trying to make sure that you as a processor don't have access to data is practically impossible, and it is also not forbidden. But being able to audit what is going on is possible and is necessary for audits and research in case something happens

For protecting the store - would standard windows file permissions work here? i.e. If we were to restrict folder permissions to a defined authorised user, and set the Veeam service to work under this context.

I have not tested and worked with standard windows file permissions but I assume it will work. It is indeed the Veeam service that accesses the data but please note the required permissions in the user guide (https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=20). It states that this service needs to run under the local system account

While I am proficient as a Service Provider for Veeam B&R, I am very new to this particular product. At this point, I am still doing a comparative analysis of CloudBerry, Veeam, and Datto's 365 backup products. Am I correct in understanding that Veeam's 365 backup product does not encrypt data at rest? If not, surely the data is encrypted in transit at least? I cannot seem to find anything about encryption (yay or nay) in Veeam Backup for Microsoft Office 365 2.0 User Guide.